The Texas legislature has passed the Texas Data Privacy and Security Act, which will now head to the desk of the state governor, Greg Abbott, who is expected to sign the Act into law. Comprehensive data privacy laws are already in effect in California and Virginia, and Colorado, Connecticut, and Utah will see their data privacy laws start to be enforced later this year. Data privacy laws have also been passed in Indiana, Iowa, Florida, Montana, Tennessee, and Washington this year.
The Texas Data Privacy and Security Act adopts a broad definition of personal data: any information that is linked or reasonably linkable to an individual, including pseudonymous information that could be combined with other information to identify an individual. The law will apply to any person that conducts business in the state of Texas or provides products or services consumed by Texas residents, and that processes or engages in the sale of personal data. ‘Sale’ covers disclosures of personal data for monetary gain or other valuable consideration.
No threshold has been set for company revenue or minimum data processing levels; however, small businesses, as defined by the United States Small Business Administration, are exempt, although they are still required to obtain consent before selling the sensitive data of Texas residents. Compliance with the Texas Data Privacy and Security Act will not be required of entities covered by the Health Insurance Portability and Accountability Act (HIPAA) or the Gramm-Leach-Bliley Act (GLBA), nor of non-profits and higher education institutions.
Data controllers will be required to obtain consent before processing a consumer’s sensitive data, which is any data that reveals an individual’s racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexuality, or citizenship or immigration status, as well as genetic or biometric data processed to identify individuals, personal data collected from a known child, and precise geolocation data (within a 1,750 ft. radius). The sale of sensitive data is only permitted if consumers are specifically told in the organization’s privacy notice that sensitive data will be sold. Organizations are prohibited from obtaining consent using ‘dark patterns’, that is, manipulating individuals into providing consent, such as by impairing user autonomy, decision-making, or choice.
The Texas Data Privacy and Security Act will give consumers new rights over their personal information:
- The right to confirm if a data controller is processing their personal data and to access that data
- The right to correct inaccuracies in their personal data
- The right to have personal data deleted
- The right to obtain a portable copy of their personal data
- The right to opt out of processing for (a) targeted advertising, (b) the sale of their personal data, and (c) automated profiling.
All data controllers are required to conduct data protection assessments of processing activities that involve the sale of personal data, targeted advertising, profiling, sensitive information, or any activity that carries a heightened risk of harm to consumers.
The Texas Attorney General will enforce compliance, although data controllers and processors will be allowed to cure any violation within 30 days. If corrective action is not taken within 30 days, civil monetary penalties of up to $7,500 per violation can be imposed, plus reasonable attorneys’ fees and expenses. If signed into law, the majority of the provisions of the Texas Data Privacy and Security Act will have a compliance date of March 1, 2024. Compliance with the opt-out provisions will not become enforceable until January 1, 2025.